225,000 Apple Credentials Stolen via New iOS Malware

Palo Alto Networks and WeipTech researchers recently came across a malware command and control server holding more than 225,000 valid Apple user names and passwords stolen via a new iOS malware family named KeyRaider.

"We believe this to be the largest known Apple account theft caused by malware," Palo Alto Networks senior security researcher Claud Xiao wrote in an analysis of the threat.

The malware, which affects only jailbroken iOS devices, appears to have hit users from 18 countries, including China, France, Russia, Japan, the U.K., the U.S., Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea.

"The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device," Xiao explained. "KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads."

The stolen credentials are then leveraged to allow other users to download applications and make in-app purchases for free via two iOS jailbreak tweaks. "The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials," Xiao wrote.

KeyRaider is also capable of acting as ransomware, locking iOS devices and holding them for ransom. "It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered," Xiao noted. "Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server."

The simplest way to avoid being infected by KeyRaider and similar malware, Xiao pointed out, is never to jailbreak your iPhone or iPad if you can avoid it.

Tim Erlin, director of IT security and risk strategy at Tripwire, told eSecurity Planet by email that while most users are acutely aware of the limitations Apple imposes on the iPhone, many fail to consider the protections that go hand in hand with those limitations. "Jailbreaking your iPhone delivers increased flexibility, but it comes at a cost," he said. "The world outside of Apple's universe isn't always so safe."

And Lieberman Software vice president of product strategy Jonathan Sander said by email that jailbroken iPhones have proven to be easy targets over and over again. "Jailbreaking essentially puts the higher level rights reserved for Apple on the iPhone in the hands of the user and quickly into the hands of the bad guys," he said. "When the bad guys can act like Apple on your iPhone, then they can do anything they want to you."

And the impact can reach far beyond the end user. A recent Centrify Corporation survey of 2,249 U.S. employees found that 45 percent of respondents use at least one Apple device for work purposes. Sixty-three percent of those Apple devices are owned by the user rather than the company, and are used to access e-mail, corporate documents and business applications. Fully 51 percent of iPhones and 58 percent of iPads in the workplace, the survey found, are used to access business applications.

A recent eSecurity Planet article examined the security strengths and weaknesses of both iOS and Android.